Bruce's suggestions for securing public cloud infrastructure, across industries.
At Ermetic, we speak with technology leaders in a wide array of industries and segments, and have had the pleasure of bringing on many as customers. Through this experience, we’ve developed a good understanding of how the best organizations tackle the challenge of cloud security.
These discussions have been interesting because the organizational dynamics of cloud companies are different, especially in the age of COVID-19. Until recently, the status quo was that IT and IT/Info Security were more concerned with on-prem problems like endpoints and networks. Some organizations may have begun major cloud transformation projects but, with a few exceptions, these initiatives were more shadow IT regardless of how proactive their security leaders were. This approach has obviously resulted in major security gaps, especially for organizations that host sensitive data in the cloud and/or are subject to compliance requirements like GDPR, PCI, HIPAA and SOC 2 (see: Capital One or Hobby Lobby).
Everything changed in 2020. This was the year that most organizations began trying to figure out how to better organize themselves to meet the growing security issues around public cloud. But, as these things tend to go, it has been messy. “Best practices” haven’t really taken hold and many organizations are scrambling to figure it out on their own. Some are looking to their cloud leaders to take responsibility for cloud security and others have strong, proactive security teams that are adapting their practices to the cloud.
Through our discussions, we’ve picked up several interesting insights:
Allow proper governance and control
Organizations need to allow their security teams to have proper governance and control in the cloud, or adopt security-first cloud leadership, or both.
We’ve found that the most cloud security-efficient organizations are those with strong security leaders who hold influence and authority over the organization’s cloud, followed by – especially in the case of cloud-native companies – those with cloud leaders who understand and prioritize security.
Organizations that have the most difficulty getting on top of their cloud’s security are those with very firm boundaries between their on-prem and cloud environments. Often in these companies, we work with proactive security or cloud leaders who want to effect a culture change through education.
Uncovering the current state is key to culture change
We work with these change-makers to help them understand and quantify risks in their public cloud infrastructure so that they aren’t just talking philosophically about taking a new approach. For example, we can show them that 90% of entitlements in their cloud infrastructure are excessive (a typical finding) and that Johnny from engineering can assume an EC2 role that allows him unfettered access to S3 buckets that contain all customer data. (Again, witness the data breaches referenced above.) Armed with this internal data, they can hopefully inspire the right stakeholders to come together to build a strong plan going forward.
Cloud security expertise is really hard to find... don’t wait for it
One common strategy we see emerging but that, frankly, is currently failing, is one of waiting for new cloud security teams to be built. We’ve started labeling experienced cloud security folks “unicorns” because, generally, we see job openings posted for 6+ months. This is for sure the right approach long term, but these teams should be looking for ways to reduce risk in the meantime, because it’s almost definitely going to be a while.
Utilize tech that harnesses automation and works within your existing workflows
Regardless of organizational structures, we’re seeing that you can’t just throw people at the problem. Because of the complexity of the cloud, the amount of engineering hours required to achieve things like least privilege and/or compliance without the help of tech that harnesses automation is cost prohibitive and highly frustrating. As an example, a typical identity attached to a resource might have something like 30 lines of code for permissions in the current state, but to achieve least privilege, often needs hundreds of lines. Even small organizations typically have thousands of users and resources, so this very quickly becomes a truly Sisyphean task for anyone.
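To make the “excessive entitlements” finding concrete, here is an added example (not Ermetic’s code or product logic) that flags wildcard grants in an AWS IAM policy document and compares a broad EC2-role-style policy with its least-privilege counterpart. Both policy documents are constructed samples; the bucket names, log group and account ID (the AWS documentation placeholder 111122223333) are assumptions.

```python
import json

# Constructed sample: a broad policy of the kind an EC2 instance role often
# carries; anyone who can assume the role gets full access to every bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:*"], "Resource": "*"},
    ],
}

# Constructed least-privilege counterpart: explicit actions per resource the
# workload actually touches (bucket, log group and account ID are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::app-assets-example/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets-example"]},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:us-east-1:111122223333:log-group:/app/*"]},
    ],
}

def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]

def excessive_statements(policy):
    """Return (statement index, reason) for every Allow statement whose
    Action contains a wildcard ('*', 's3:*', 's3:Get*') or whose Resource
    is the unrestricted '*'. An empty list means no wildcard grants."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action {action}"))
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource *"))
    return findings

def policy_lines(policy):
    """Line count of the pretty-printed policy, to compare policy sizes."""
    return len(json.dumps(policy, indent=2).splitlines())
```

Running `excessive_statements` over real policy documents exported from an account gives a first, automatable cut at the entitlement review the paragraph describes; the scoped policy is longer than the broad one even though it grants far less.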
Any tech should be able to be operationalized by existing people within existing processes. Integrations with IaC, ticketing, and SIEMs, as well as the ability to apply role-based access control (RBAC), are a must.
The “single throat to choke” strategy is ineffective with the maturity of the market
Cloud security is reaching buzzword status and, with that, comes a lot of solution providers, large and small, all vying for share of the budget. Many are currently pitching the dream of an “all-in-one” solution. We’ve heard over and over again that this is all “marketecture.” Typically, these products do “everything,” but nothing well. Most of the time these offerings are actually separate products entirely, each with its own agent, dashboard, and alerts your team can’t possibly respond to (aka more shelfware). The lines of code example above would not be possible with these products.
The more successful teams we have engaged with understand that though it is challenging to deal with multiple vendors, a comprehensive, best-of-breed approach is far more effective at really solving the problem right now. Well-run, focused startups like Ermetic are driving innovation with solutions that help customers solve the difficult problems, today, and hit the ground running.
The market will mature eventually (probably through acquisitions) but, like the talent-gap, it will take time.
Don’t wait until the board provides a mandate
At this point, security thought leaders know that the ability to predict the future is a hard requirement for survival. Generally, by the time the board provides a mandate, it’s in response to a major incident, and we know who the casualties are. Leaders have to be more proactive than ever in looking at trends and trying to preempt threats.
In addition, due to the aforementioned constraints, it takes a long time for a strategy to become realized in terms of actual security posture. Cloud adoption is much faster and is only accelerating; to reconcile this, standard timelines need to be accelerated. This doesn’t mean planning hastily or throwing a bunch of crap at the wall hoping something sticks. But it does mean looking directly in the face of the challenge; evaluating the current state, available resources, and the market for talent/tech; planning accordingly; and moving to execution as quickly as possible.
“It is not the most intellectual of the species that survives; it is not the strongest that survives; but the species that survives is the one that is able best to adapt and adjust to the changing environment in which it finds itself.” – Leon Megginson, paraphrasing Darwin